IN THE CLAIMS 

1 . (Currently Amended) A method for determining and enforcing service policies over a 
network, said method implemented in a service pohcy director , comprising the steps of: 

a. receiving authentication messages sent through an access server from a user to an 
authentication server ; 

b. determining from said authentication messages user identifiers and service attributes 
associated vvith said user; 

c. creating a user service policy entry in a user policy table, in a network device separate 
from the access server and the authentication server, for said identified user containing said 
service attributes; 

d. consulting said user policy table to determine how to manage said user traffic directed 
to a service-providing server and sent subsequent to said user authentication messages; md 

e. managin g said subsequent user traffic based on said consulting step. 

2. (Cancelled) 

3. (Previously Presented) A method for enforcing service policies over a network, as per claim 
1, wherein said user policy table is located within said service policy director . 

4. (Previously Presented) A method for enforcing service policies over a network, as per claim 1, 
wherein said service pohcy director offers internal network services comprising at least one of 
bandwidth management, access control or network usage statistics. 
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5. (Original) A method for enforcing service policies over a network, as per claim 1, wherein 
said authentication messages are using any of the Radius protocol or the LDAP protocol. 


6. (Previously Presented) A method for enforcing service policies over a network, as per claim 
1, wherein said service policy director functions in any one of, or a combination of, the following 
modes: 

a. transparent mode, wherein the authentication messages in a provider network pass 
through the service policy director without any modification to the IP addresses and data of said 
authentication messages; 

b. proxy mode, wherein the authentication messages in a provider network pass through 
the service policy director , said network device modifies IP addresses of said authentication 
messages without any modification to the data of said authentication messages; and 

c. passive mode, wherein the authentication messages in a provider network are copied to 
the service pohcy director . 

7. (Currently Amended) A method for managing network user traffic received by a service 
pohcy director, said network user traffic being subsequent to any authentication which took 
place, including at least a request for a server or service, said method comprising steps of: 


a. determining by the service pohcy director a user pohcy table based on an at least an 
initial authentication message sent from a user to an authentication server using an access server : 

b. identifying a user originating said network user traffic; 
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c. consulting the user policy table stored in a network device separate from an access 
server and an authentication server, to locate a user service poUcy corresponding to said user; 
and 

d. managing said network user traffic based on said consulting step by any one or more of 
the following: 

i. forwarding network user traffic to a requested server, 

ii. redirecting network user traffic to a server providing a same service as a 
requested server, 

iii. sending network user traffic through filtering software before forwarding user 
traffic to a requested server, 

iv. denying transmission of user traffic on the basis of access privileges, 

V. counting or logging user traffic in order to provide network usage information, 

or 

vi. denying or delaying transmission of network user traffic on the basis of service 
level parameters. 


8. (Cancelled) 


9. (Currently Amended) A method for managing network user traffic received by a service 
policy director, as per claim 7, wherein authentication messages are using any of the Radius 
protocol or the LDAP protocol. 

10. (Previously Presented) A method for managing network user traffic received by a service 
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policy director , as per claim 7, wherein said network device offers internal network services 
comprising at least one of bandwidth management, access control or network usage statistics. 

1 1 , (Previously Presented) A method for managing network user traffic received by a service 
policy director , as per claim 7, wherein said network device functions in any one of the 

following modes: 

a. transparent mode, wherein the authentication messages in a provider network pass 
through the service pohcy director without any modification to the IP addresses and data of said 
authentication messages; 

b. proxy mode, wherein the authentication messages in a provider network pass through 
the service policy director , said network device modifies IP addresses of said authentication 
messages without any modification to the data of said authentication messages; and 

c. passive mode, wherein the authentication messages in a provider network are copied to 
the service policy director . 

12. (Currentiy Amended) A method for enforcing service policies over a network, said method 
implemented in a service policy director comprising steps of: 

a. receiving authentication messages for a user fi-om an access server at said service 
policy director ; 

b. determining user identifiers and service attributes associated with said user from at 
least a first authentication message from an authentication server; 

c. creating a user service policy entry in a user policy table stored on a network device 
separate from said access and authentication servers, for said identified user based on said 
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d. consulting said user policy table to determine how to manage user traffic directed to a 
service-providing server sent subsequent to said user authentication message; and 

e. managing said subsequent user traffic including any one or more of the following: 

i. forwarding user traffic to requested server, 

ii. redirecting user traffic to a server providing same service as requested server, 

iii. sending user traffic through filtering software before forwarding user traffic to 
requested server, 

iv. denying transmission of user traffic on the basis of access privileges, 

V. counting or logging user traffic in order to provide network usage information 
or 

vi. denying or delaying transmission of user traffic on the basis of service level 
parameters. 

13. (Original) A method for enforcing service poUcies over a network, as per claim 12, wherein 
authentication messages are using any of the Radius protocol or the LDAP protocol. 

14. (Previously Presented) A method for enforcing service policies over a network, as per claim 
12, wherein said service policy director offers internal network services comprising at least one 
of bandwidth management, access control or network usage statistics. 

15. (Previously Presented) A method for enforcing service policies over a network, as per claim 
12, wherein said service policy director functions in any one of the following modes: 
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a. transparent mode, wherein the authentication messages in a provider network pass 
through the service poUcy director without any modification to the IP addresses and data of said 
authentication messages; 

b. proxy mode, wherein the authentication messages in a provider network pass through 
the service poHcy director , said network device modifies IP addresses of said authentication 
messages without any modification to the data of said authentication messages; and 

c. passive mode, wherein the authentication messages in a provider network are copied to 
the service poHcy director . 

16. (Currently Amended) A system for enforcing service policies over a network comprising the 
following: 

a user request-issuing device; 

an access server forwarding authentication messages and user traffic from and to the user 
request-issuing device; 

a service provider network over which user authentication messages and user traffic 
directed to service-providing servers, both of which originated bv -from said user request-issuing 
devic e, are4 s transmitted; 

an authentication server to which said user request-issuing device attempts to connect and 
by which said user request-issuing device is authenticated and registered; aad 

a network device, independent of said authentication server and said access server, 
including a service poUcy director, enforcing a service policy for said user request-issuing 
device, said network device receiving the authentication messages and creating the service policy 
there from, and 
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said service policy director enforcing said service policy on user requests directed to 
service-providing servers subsequent to the authentication and registration. 

17. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said service policy director includes a user policy table. 

18. (Original) A system for enforcing service policies over a network, as per claim 17, wherein 
said user poUcy table includes user identifier information and service attribute information. 

19. (Original) A system for enforcing service policies over a network, as per claim 18, wherein 
said user identifier information includes at least an Internet/intranet address. 

20. (Original) A system for enforcing service policies over a network, as per claim 19, wherein 
said user identification information further includes any of usemame, session identification or 
Internet cookie. 

21 . (Original) A system for enforcing service policies over a network, as per claim 1 8, wherein 
said attribute information includes any one or more of the following: access privileges 
parameters, traffic logging mechanisms and user activity statistics entitlement parameters, 
security services entitlement parameters, or service quality level parameters. 

22. (Original) A system for enforcing service policies over a network, as per claim 21, wherein 
said service quality level parameters include any one or more of the following: 
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a bandwidth limit, a bandwidth guarantee, or a bandwidth priority. 

23. (Previously Presented) A system for enforcing service policies over a network, as per claim 
18, wherein said service attributes define services offered by said service policy director, said 
services including any one or more of the following: classification of network user traffic, 
modification of network user traffic, forwarding of network user traffic, or logging of single 
network user traffic statistics. 

24. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said network device offers internal network services including at least one of bandwidth 
management, access control or network usage statistics. 

25. (Original) A system for enforcing service policies over a network, as per claim 18, wherein 
a plurality of said service policy directors reside on a network. 

26. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said network device including said service poUcy director fimctioning in a transparent mode, 
wherein the authentication messages in a provider network pass through the network device 
without any modification to the IP addresses and data of said authentication messages. 

27. (Ciurently Amended) A system for enforcing service policies over a network, as per claim 

26, wherein said service policy director fimctioning in said transparent mode receives said user 
authentication messages addressed to said authentication server and forwards said user 
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authentication request messages to said authentication server. 

28. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said network device including said service pohcy director functioning in a proxy mode, wherein 
the authentication messages in a provider network pass through the network device, said network 
device modifies IP addresses of said authentication messages without any modification to the 
data of said authentication messages. 

29. (Currently Amended) A system for enforcing service policies over a network, as per claim 
28, wherein said service policy director functioning in said proxy mode receives said user 
authentication messages addressed to said service policy director and forwards it to said 
authentication server. 

30. (Original) A system for enforcing service policies over a network, as per claim 16, wherein 
said network device comprising said service pohcy director functioning in a passive mode, 
wherein the authentication messages in a provider network are copied to the network device. 

31. (Cancelled) 

32. (Previously Presented) A method for enforcing service poUcies over a network, as per claim 
1, wherein said service pohcy director functions in a transparent mode, wherein the 
authentication messages in a provider network pass through the service pohcy director without 
any modification to the IP addresses and data of said authentication messages. 
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33. (Currently Amended) A method for enforcing service policies over a network, said 
method implemented in a service policy director comprising steps of: 

a. receiving authentication messages for a user firom an access server at said service 
policy director ; 

b. determining user identifiers and service attributes associated with said user from at 
least a first authentication message from an authentication server; 

c. creating a user service policy entry in a user policy table stored on a network device 
separate from said access and authentication servers, for said identified user based on said 
service attributes; 

d. consulting said user policy table to determine how to manage user traffic directed to a 
service-providing server and sent subsequent to said user authentication message; and 

e. managing said subsequent user traffic by sending user traffic through filtering software 
before forwarding user traffic to requested server. 

34. (New) A method for managing network user traffic received by a service policy 
director, said network user traffic being subsequent to any authentication which took place, 
including at least a request for a server or service, said method comprising steps of: 

a. determining by the service policy director a user poUcy table based on an at least an 
initial authentication message sent from a user to an authentication server using an access server; 

b. identifying a user originating said network user traffic; 

c. consulting the user policy table stored in a network device separate from an access 
server and an authentication server, to locate a user service policy corresponding to said user; 
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and 

d. managing said network user traffic based on said consulting step by any one or more of 
the following: 

i. redirecting network user traffic to a server providing a same service as a requested 
server, or 

ii. sending network user traffic through filtering software before forwarding user traffic to 
a requested server. 


84342 109_2.DOC 


-15- 


